
[Suggestion] Workaround for apps detect bootloader unlocked through hardware attestation #252

Closed
HuskyDG opened this issue Jan 28, 2023 · 10 comments
Labels
bug Something isn't working

Comments

@HuskyDG

HuskyDG commented Jan 28, 2023

Now we have a few apps that use hardware attestation to detect bootloader status no matter whether SafetyNet or Device Integrity passes.
We have tested with a few good guys on Telegram and it only works on unlocked devices with no hardware attestation (or with a locked bootloader, ofc). It doesn't even work after uninstalling Magisk.
https://play.google.com/store/apps/details?id=com.CIB.Digital.MB&hl=en&gl=US
As we know, we can't spoof hardware attestation.
Is it time to spoof no hardware attestation, or to find another way around it?
Hope you will take a look!

@HuskyDG HuskyDG added the bug Something isn't working label Jan 28, 2023
@HuskyDG HuskyDG changed the title from "[Suggestion] Spoof device doesn't have hardware attestation for selected apps" to "[Suggestion] Workaround for apps detect bootloader unlocked through hardware attestation" Jan 28, 2023
@kdrag0n
Owner

kdrag0n commented Jan 28, 2023

It's cryptographically impossible to spoof hardware attestation because it's signed with keys private to TrustZone/StrongBox, leaving vulnerabilities in the TEE or StrongBox firmware as the only option. This would be considered an actual security vulnerability in the firmware that would be patched quickly by the relevant vendor, not a simple bypass, so there's no reason to blow it on bypassing app limitations instead of reporting it to Google/Qualcomm.

@kdrag0n kdrag0n closed this as not planned Jan 28, 2023
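Added example (not from the issue or from any project named in it) of what an app's backend actually reads from the hardware attestation the comment above refers to: the teeEnforced RootOfTrust in the attestation extension carries deviceLocked and verifiedBootState, which is why bootloader state is visible even when Play Integrity passes. It assumes the certificate chain has already been validated up to Google's attestation root; the DER encoder and all sample values are constructed for the demo.

```python
# Added example, not from the issue or any project it names: decode the Android key attestation
# extension (OID 1.3.6.1.4.1.11129.2.1.17) server-side, after the chain is validated to Google's root.
SECURITY_LEVEL = {0: 'Software', 1: 'TrustedEnvironment', 2: 'StrongBox'}
VERIFIED_BOOT = {0: 'Verified', 1: 'SelfSigned', 2: 'Unverified', 3: 'Failed'}

def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> ((class/constructed bits, tag number), value, next_pos)."""
    first = buf[pos]; pos += 1; number = first & 0x1F
    if number == 0x1F:  # high-tag-number form, needed for the [704] rootOfTrust tag
        number = 0
        while True:
            b = buf[pos]; pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80: break
    length = buf[pos]; pos += 1
    if length & 0x80:  # long-form length (real extensions are usually > 127 bytes)
        n = length & 0x7F; length = int.from_bytes(buf[pos:pos + n], 'big'); pos += n
    return (first & 0xE0, number), buf[pos:pos + length], pos + length
def der_children(value):  # split a constructed value into its (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos); out.append((tag, v))
    return out
def parse_key_description(ext):
    """Return attestationSecurityLevel and the teeEnforced RootOfTrust; softwareEnforced is ignored."""
    f = der_children(der_read(ext)[1])  # attVer, attSecLevel, kmVer, kmSecLevel, challenge, uniqueId, sw, tee
    info = {'securityLevel': SECURITY_LEVEL[f[1][1][0]], 'rootOfTrust': None}
    for tag, v in der_children(f[7][1]):
        if tag == (0xA0, 704):  # rootOfTrust [704] EXPLICIT RootOfTrust
            _, locked, state, _ = der_children(der_children(v)[0][1])
            info['rootOfTrust'] = {'deviceLocked': locked[1] != b'\x00', 'verifiedBootState': VERIFIED_BOOT[state[1][0]]}
    return info
def assess(ext):
    """Policy decision on the decoded extension; only meaningful once the chain is trusted."""
    kd = parse_key_description(ext)
    if kd['securityLevel'] == 'Software':
        return 'reject: software-only attestation, rootOfTrust is not hardware-backed'
    rot = kd['rootOfTrust']
    if rot is None or not rot['deviceLocked'] or rot['verifiedBootState'] != 'Verified':
        return 'reject: bootloader unlocked or boot not verified'
    return 'accept: locked bootloader, verified boot'
def der(tag, content):  # minimal short-form encoder, used only to build the constructed sample
    return tag + bytes([len(content)]) + content
def sample_extension(locked, boot_state):
    """Constructed KeyDescription for a TEE-backed key; all values are made up, not from a real device."""
    SEQ, INT, ENUM, OCT, BOOL = b'\x30', b'\x02', b'\x0a', b'\x04', b'\x01'
    rot = der(SEQ, der(OCT, b'\x11' * 32) + der(BOOL, b'\xff' if locked else b'\x00')
              + der(ENUM, bytes([boot_state])) + der(OCT, b'\x22' * 32))
    tee = der(SEQ, der(b'\xbf\x85\x40', rot))  # teeEnforced holding [704] EXPLICIT rootOfTrust
    return der(SEQ, der(INT, b'\x04') + der(ENUM, b'\x01') + der(INT, b'\x04') + der(ENUM, b'\x01')
               + der(OCT, b'challenge') + der(OCT, b'') + der(SEQ, b'') + tee)
```

An in-process hook can only alter what the app sees locally; a backend that checks the chain signature and decodes the extension itself still sees the TEE-signed values.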
@khalidaboelmagd

So there's no way to make the CIB banking app work?

@HuskyDG
Author

HuskyDG commented Jan 29, 2023

yes

@HuskyDG
Author

HuskyDG commented Jan 30, 2023

Meanwhile, they can ignore the SafetyNet / Play Integrity result and get the status from hardware attestation if your device has it. Broken TEE, self-signed or unlocked will be considered suspicious traces, and bypassing SafetyNet can be meaningless.

@pndwal

pndwal commented Jan 31, 2023

It's cryptographically impossible to spoof hardware attestation because...

But the question was whether we can

spoof no hardware attestation or find another way around it? Hope you will take a look!

to prevent bank apps from intercepting such signals independent of Play Integrity API etc...

I know MHPC originally used the "not implemented" error code from Keymaster "to simulate... an old device lacking support for key attestation"... (It now uses Zygisk "to inject code into the Play Services process and register a fake keystore provider" causing gms to throw an exception when attempting to use key attestation that effectively simulates the same failure condition resulting in a fall back to basic attestation)

I wonder if that initial approach (in combination with some prop based device simulation?) might have better convinced bank apps that hardware key based attestation is actually 'not implemented' rather than tampered ...

@chiteroman

Now we have a few apps that use hardware attestation to detect bootloader status no matter whether SafetyNet or Device Integrity passes. We have tested with a few good guys on Telegram and it only works on unlocked devices with no hardware attestation (or with a locked bootloader, ofc). It doesn't even work after uninstalling Magisk. https://play.google.com/store/apps/details?id=com.CIB.Digital.MB&hl=en&gl=US As we know, we can't spoof hardware attestation. Is it time to spoof no hardware attestation, or to find another way around it? Hope you will take a look!

Yes you can; my Xposed module bypasses the CIB hardware attestation check: https://github.com/swer45/AttestationSpoofer

@khalidaboelmagd


I tried it, but it's not working. I tried KeyAttestation and CIB; I have a OnePlus 7 Pro.

@enovella


FYI - it seems to fail in the latest CIB v4.2.37 @swer45

@BaraaAlmodrek


FYI - it seems to fail in the latest CIB v4.2.37 @swer45

Nope, it's working.
Try this link, as he changed the name of his repo:
https://github.com/chiteroman/BootloaderSpoofer

@spidy2356

spidy2356 commented Mar 26, 2024

Nope, it's working. Try this link, as he changed the name of his repo: https://github.com/chiteroman/BootloaderSpoofer

thanks bro
